Security threats Toolkit

Liberty Alliance takes on ID theft

Tags:
Phishing

Joris Evers CNET News.com

Published: 14 Jun 2005 15:50 BST

In the wake of several high-profile data breaches, the Liberty Alliance is branching out to take on identity theft.

The organisation, formed to develop technology standards for online authentication, plans to launch its Identity Theft Protection Group on Tuesday. Headed by representatives from American Express and Fidelity Investments, the new effort plans to release an identity theft glossary next month and to subsequently come up with ways to prevent ID theft.

"I am concerned that unless we do something as an industry, this problem is going to get worse and worse, to the point that it is no longer a question of if your identity gets stolen, but when," Michael Barrett, co-chairman of the Identity Theft Prevention Group and a security executive at American Express, said in an interview on Monday.

Identity-related crime such as phishing threatens the growth of the Internet, Barrett said. The Identity Theft Prevention Group hopes to become a hub for efforts to combat the issue. It plans to first define and dissect the problem and then develop solutions, which could be technical specifications, policy best practices or business guidelines, Barrett said.

The launch comes in the wake of several high-profile data loss incidents that exposed American consumers to identity risk. Last week, CitiFinancial said tapes containing unencrypted information on 3.9 million customers were lost by the United Parcel Service while in transit to a credit bureau. CitiFinancial is the consumer finance subsidiary of Citigroup. In past months, data leaks have been reported by Bank of America and Wachovia, data brokers ChoicePoint and LexisNexis, and the University of California at Berkeley and Stanford University.

The alliance's Identity Theft Prevention Group claims to be the first to address the issue from a multiorganisational perspective. It includes technology vendors, financial services organisations, law enforcement and others, Barrett said. Non-Liberty members can participate through a liaison program.

Liberty is not alone in fighting the problem. Organisations such as the Better Business Bureau and the Federal Trade Commission have made efforts to educate consumers and prevent identity theft. So have groups including the Anti-Phishing Working Group.

A larger, collaborative effort is welcome, said James Van Dyke, a principal analyst at Javelin Strategy & Research, which publishes an annual report on identity fraud. However, Liberty should start by renaming its working group the Identity Fraud Protection Group, he said. "The ultimate thing we are trying to stop is identity fraud," Van Dyke said.

Education is key to the push, Van Dyke said. He noted that the Internet is a double-edged sword, in that it can be abused to commit identity fraud, but consumers can also use it to monitor accounts and get rid of paper statements that could be used by bin-diving ID fraudsters.

Also, contrary to popular belief, ID fraud in most cases is not committed by hackers far away in another country, Van Dyke said. In 54 percent of the ID theft cases, the perpetrator is somebody the victim knows, such as a relative, friend or domestic employee, he said.

Jonathan Penn, an analyst at Forrester Research, said the Liberty Alliance should not overreach itself. The group could be a clearinghouse for ID theft issues, but really its strength is in developing technical specifications, he said. "There should be some definition of Liberty's purpose and scope -- for example, focusing on technical solutions that would be adopted across various industry sectors," he said.

Though public perception may be that identity fraud is rampant, the number of victims has actually decreased in the past years. A spring 2003 study by the FTC found that 10.1 million people, or 4.6 percent of the adult US population, were the victims of ID fraud. In an identical study 18 months later, Javelin found that 9.3 million people, or 4.25 percent of the population, had been hit by such crime.

As the number of ID fraud incidents has decreased, the amount of money involved has risen. In 2003, victims' losses averaged $5,072 per incident, for a total of $51.4bn (£28.5bn). In the autumn of 2004, Javelin found an average loss of $5,686, for a total of $52.6bn (£29.2bn), Van Dyke said. In both the FTC and Javelin surveys, about 4,000 people were interviewed by telephone.

The Liberty Alliance was established in 2001 to create an open authentication platform that would enable people to use a single sign-on for participating Web sites. The federated identification push was a response to Microsoft's closed Passport technology. The Liberty effort, originally sponsored by Sun Microsystems and about 30 other companies, has continued to expand. It currently counts more than 150 companies, nonprofit and government organisations as members. Specifications developed by the group are supported in several products.

Liberty has scheduled its first Identity Theft Workshop for 20 July in Chicago.